Adopting a new operating model? Don’t leave your business exposed
Tue 7 Apr 2020 | Paul Harragan
As businesses adapt operations to weather Covid-19, security teams must be aware of new threats, writes Paul Harragan
The Covid-19 pandemic has led many companies to alter the way they conduct business, in many cases evolving to a new way of running operations. Some businesses have been fortunate in that their operating models have stayed in line with “Business as Usual”. However, in most cases businesses have either had to adapt or evolve into a new operating model.
Information security and cyber defence teams have a challenge ahead of them. They will not only have to run normal day-to-day operations but must now also understand the new threat vectors that are widening the threat landscape, and work to minimise cyber risk so businesses stay protected.
Here are the four most popular restructuring scenarios businesses are adopting right now:
- Business model generally stays the same – However, the workforce is now working remotely, typically from home, potentially for a prolonged period (between 1 and 12 months).
- Mothball / Hibernation – A company puts on hold its usual business model and adapts to serve the customer base in different ways. This typically occurs if either the business has enough funds to keep itself going or has been granted a lifeline (for example a government grant) to continue operations.
- Pivot – The operating model has now changed or evolved. Typically, this is due to a business not being able to maintain itself in its current shape or form. Adjustments to the operating model can lead to new ventures and a more profitable and economical business venture. An example of this would be a B2B retail store selling office ergonomic furniture. As demand has moved from corporate customers to individuals, serving the home market using an e-commerce platform has now become a new and viable business operating model.
- Administration / Liquidation – The business can no longer survive and has the responsibility to dispose of its assets and data in a safe, compliant manner.
As businesses undergo these changes, information security and cyber defence teams will need to focus on and understand the new attack surface.
Working from home may introduce new security and privacy threats that businesses are not used to monitoring. It is critical to ensure IT helpdesk and security teams are working closely together, as many of the risks and issues will be reported via the helpdesk.
The list below highlights the potential risks your business should be aware of:
- Be aware that opening ports to support business operations, such as RDP (3389), may introduce risks that adversaries will look to exploit.
- Enforcing the use of VPNs will be vital to ensure that all business communications maintain privacy via encryption.
- Try to prevent users downloading corporate IP onto their endpoint devices, to reduce the risk of data leaks.
- New tools introduced to enable business operations will need to go through third-party security assessments before being deployed. An example of this would be introducing video conferencing (VC) software. Whilst this will enable the business to operate, we have seen in recent weeks that not all VC solutions are secure and fit-for-purpose.
- Configure and tune the 24/7 monitoring platform (SIEM) to log all endpoint assets outside of the business perimeter.
- Enforce remote upgrades and patching.
- Increase the frequency of vulnerability scanning.
- Perform frequent cyber security risk assessments to assess hygiene.
- User Awareness – Train users to understand the risks of home working, and give them the tools to identify and report them. These include phishing attempts, accessing malicious URLs, not letting children use dedicated work devices, and so on.
When mothballing a business, security measures still need to be maintained to secure corporate IP, valued data and assets as the business shuts and the workforce decreases. Typically, there is a tendency to save costs and to reduce operations. However, this cannot be the case with regard to security operations. The size and shape of the operation can change, but ensure the focus on protecting core assets is maintained. For the business to still exist and be operable when bouncing back from mothballing / hibernation, cyber hygiene must have been preserved, and no adversary must have breached the perimeter or leaked any data.
When pivoting a business, there is a tendency to restructure security operations and refocus budget allocations. It is key to understand the new risk matrix for the business. Do the same metrics still apply or do new tolerance levels need to be evaluated? What could have been an accepted risk before may now not apply. In line with this, new budgets need to be established to ensure that funds for security operations will now be aligned with the business model. This can lead to new ventures, synergies, tooling and can possibly lead to cost efficiencies (for example human capital reduction).
Lastly, when closing a business, there is a risk of both corporate IP and sensitive data being exposed. Best practices, with regard to data and asset disposal, need to be identified in line with the country-specific regulations.
The future is uncertain. But whatever approach your business has taken, security is more important than it has ever been. Attackers are adapting fast to new situations, introducing new risk to your business whilst you are restructuring and potentially more vulnerable. Creating a relevant user awareness training programme and performing regular cyber security risk assessments can help the business understand its new threat landscape. This will contribute to implementing a solid cyber security foundation, which is key to ensuring a safe and secure transition to your new business model.